Bring SNI behavior into better conformance with RFC 6066:

- no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1585090 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2014-04-05 12:57:43 +00:00
parent edbbc1acda
commit cbba0dbc00
3 changed files with 37 additions and 25 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1404,13 +1404,16 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,

 apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
 {
-    server_rec *s, *ps;
+    server_rec *s;
    SSLSrvConfigRec *sc;
+#ifndef HAVE_TLSEXT
+    server_rec *ps;
    apr_hash_t *table;
    const char *key;
    apr_ssize_t klen;

    BOOL conflict = FALSE;
+#endif

    /*
     * Give out warnings when a server has HTTPS configured
@@ -1438,11 +1441,11 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
        }
    }

+#ifndef HAVE_TLSEXT
    /*
     * Give out warnings when more than one SSL-aware virtual server uses the
-     * same IP:port. This doesn't work because mod_ssl then will always use
-     * just the certificate/keys of one virtual host (which one cannot be said
-     * easily - but that doesn't matter here).
+     * same IP:port and an OpenSSL version without support for TLS extensions
+     * (SNI in particular) is used.
     */
    table = apr_hash_make(p);

@@ -1460,17 +1463,10 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
        klen = strlen(key);

        if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
-#ifndef HAVE_TLSEXT
-            int level = APLOG_WARNING;
-            const char *problem = "conflict";
-#else
-            int level = APLOG_DEBUG;
-            const char *problem = "overlap";
-#endif
-            ap_log_error(APLOG_MARK, level, 0, base_server,
-                         "Init: SSL server IP/port %s: "
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
+                         "Init: SSL server IP/port conflict: "
                         "%s (%s:%d) vs. %s (%s:%d)",
-                         problem, ssl_util_vhostid(p, s),
+                         ssl_util_vhostid(p, s),
                         (s->defn_name ? s->defn_name : "unknown"),
                         s->defn_line_number,
                         ssl_util_vhostid(p, ps),
@@ -1484,17 +1480,14 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
    }

    if (conflict) {
-#ifndef HAVE_TLSEXT
        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
-                     "Init: You should not use name-based "
-                     "virtual hosts in conjunction with SSL!!");
-#else
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(02292)
-                     "Init: Name-based SSL virtual hosts only "
-                     "work for clients with TLS server name indication "
-                     "support (RFC 4366)");
-#endif
+                     "Init: Name-based SSL virtual hosts require "
+                     "an OpenSSL version with support for TLS extensions "
+                     "(RFC 6066 - Server Name Indication / SNI), "
+                     "but the currently used library version (%s) is "
+                     "lacking this feature", SSLeay_version(SSLEAY_VERSION));
    }
+#endif

    return APR_SUCCESS;
 }